Change-Id: I4971534be80cb111f02cd3dc4d2e8c4ad6afdb5f
2.3 KiB
Keycloak support
launchpad blueprint: https://blueprints.launchpad.net/vitrage/+spec/keycloak-support
As part of an on going effort to make vitrage to be able to work also in a non OpenStack environment (in addition to the default OpenStack environment). We should be able to make vitrage work with a different authorization server instead of keystone. An optional authorization server can be Keycloak which is an open source Identity and Access Management solution aimed at modern applications and services
Problem description
Vitrage at the moment can only work in an OpenStack environment because it needs Keystone for authorization. We should support other authorization such as Keycloak.
Proposed change
New auth_mode in api section in Vitrage config file:
[api]
auth_mode = keycloak
New keycloak section with the auth_url in Vitrage config:
[keycloak]
auth_url = http://[keycloak server]:[keycloak port]/auth
The Vitrage server will use a new middleware which will authenticate with the Keycloak server once an api request is received.
A new auth plugin will be added to the vitrage client which will get the token from the Keycloak server and sent it with the api request.
Alternatives
None
Data model impact
None
REST API impact
When using the client we should use the keycloak-plugin
Versioning impact
None
Other end user impact
None
Deployer impact
To use the Keycloak Authorization there is a need to define it in the Vitrage config file.
Developer impact
None
Horizon impact
None
Implementation
Assignee(s)
- Primary assignee:
-
eyalb1
Work Items
- Create Keycloak plugin in client
- Create Keycloak plugin in server
Dependencies
None
Testing
This blueprint requires unit tests.
Documentation Impact
The usage of the KeyCloak authorization will be documented